Bad proxy, bad!

At the IEEE Symposium on Security and Privacy this year, a group from Microsoft Research and some students presented an attack on browsers that use proxies. Their paper can be found here. Any browser that was using a proxy server (whether through WPAD, automatic or manual configuration) was vulnerable to this attack. The proxy server could respond to an https request with an error, and put any HTML, JavaScript or other code it wanted in that response. For example, the server could respond with an error that also contained an iframe pointing to the originally requested page. That page would then be displayed, but the attacker could inject additional JavaScript to steal elements from the iframed page. They also demoed another attack in which the attacker tricked the browser into caching the actual page's certificate while also sending some refresh code. The browser would then show the real site's certificate info alongside the attacker's website. This would be perfect for phishing sites.
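
The attack described above depends on the browser rendering a proxy's error body as if it came from the requested https site. As an added example (not from the paper or from this post), the Python below shows client-side handling of a proxy's reply to CONNECT that never renders proxy-supplied bytes and flags error bodies carrying active markup; the function names, the markup pattern and the `bank.example` samples are assumptions constructed for illustration.

```python
import re

# Markup that can drive content or navigation if a browser renders the body.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|iframe|frame|object|embed)\b|http-equiv\s*=\s*[\"']?refresh",
    re.IGNORECASE,
)

def parse_connect_response(raw: bytes):
    """Split a proxy's reply to CONNECT into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("malformed status line from proxy")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers, body

def handle_connect_response(raw: bytes, target_origin: str) -> dict:
    """Decide what the client may do with the reply; never render proxy bytes."""
    status, headers, body = parse_connect_response(raw)
    if 200 <= status < 300:
        # Tunnel is up: page content must come only from the TLS session.
        return {"action": "start_tls", "render_origin": target_origin, "suspicious": False}
    return {
        "action": "show_local_error",   # client-generated page, not proxy HTML
        "render_origin": None,          # never the https origin that was requested
        "status": status,
        "suspicious": bool(ACTIVE_MARKUP.search(body)),  # worth logging
    }

# Constructed sample replies (not captured traffic).
OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
PLAIN_ERR = b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n\r\n<h1>Upstream down</h1>"
ACTIVE_ERR = (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n\r\n"
              b"<iframe src='https://bank.example/'></iframe><script>/* ... */</script>")

if __name__ == "__main__":
    for sample in (OK, PLAIN_ERR, ACTIVE_ERR):
        print(handle_connect_response(sample, "https://bank.example"))
```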

This got me wondering: are smartphone browsers vulnerable to this too? My guess is that they are, but to what extent? I believe that AppStore and iTunes connections are SSL. What about older Windows Mobile IE browsers? In the next few weeks I hope to code up a tool that can test these OSes against this vulnerability.